JADEPUFFER Is the First Autonomous AI-Agent Ransomware, Exploiting the Langflow CVE-2025-3248 Flaw

Sysdig has documented JADEPUFFER, the first ransomware attack run start to finish by an AI agent, using an unauthenticated Langflow remote code execution flaw as its front door. The era of the self-driving intrusion has arrived, and old unpatched software is its favorite entry point.

Published July 2, 2026

The first ransomware that drove itself

For years the phrase "AI-powered attack" has been marketing more than reality. JADEPUFFER changes that. Sysdig documented it as the first known agentic ransomware, meaning a large language model did not merely assist a human operator but handled the full attack chain itself. The agent moved from initial access through reconnaissance, secret theft, encryption, and extortion without a human steering each step. That distinction matters because it collapses the time and skill barriers that have historically limited who can run a competent intrusion. The operator no longer needs to know how to pivot; the model does.

We should be precise about why this is a milestone rather than hype. Automation of individual attack steps is old news, from mass scanners to exploit kits. What is new is the connective tissue, the decision-making that ties one step to the next in response to what the environment actually presents. As the Sysdig Threat Research Team summarized it: "The pieces of a serious attack are getting automated, and old, unpatched software is the easy first target." That sentence is the whole thesis. The intelligence to chain the pieces together is now cheap, and the pieces themselves were always lying around.

CVE-2025-3248 was the open door

The entry point was CVE-2025-3248, a missing-authentication remote code execution vulnerability in Langflow. The flaw lives in the /api/v1/validate/code endpoint, which runs user-supplied Python through exec() without requiring authentication. It carries a CVSS score of 9.8, which is about as severe as the scale goes, and for good reason. An unauthenticated attacker who can reach the endpoint can execute arbitrary code on the host with no credentials at all. This is the textbook definition of a flaw that should never survive an internet exposure review, yet exposed Langflow instances were reachable and vulnerable.

The choice of target is not incidental to the AI angle. Langflow is a tool for building LLM applications, so it tends to sit on hosts stuffed with exactly the API keys and cloud credentials an agent would want. An unauthenticated RCE on such a host is a jackpot. We keep returning to the same uncomfortable point: the vulnerability itself was mundane and patchable, and the sophistication lived entirely in what the attacker did after walking through the door. Defenders who fixate on the novelty of AI risk missing that the door was a known, scored, fixable bug.
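The flaw described above has two ingredients: the endpoint executed the submitted code instead of merely checking it, and it did so for anyone who could reach it. The following is an added example, not Langflow's code, of how a code "validation" handler is written so that neither ingredient is present. It syntax-checks the submission with `ast.parse`, which builds a tree and never runs a statement, and it refuses callers who do not present the expected key before the body is touched. The function names, the header name and the `SERVER_API_KEY` value are constructed for the demo.

```python
import ast
import hmac

# Constructed secret for the demo; a real service loads this from a secret store.
SERVER_API_KEY = "constructed-demo-key-not-real"


def _imported_modules(tree: ast.AST) -> list:
    """Top-level module names the snippet would import, for reporting only."""
    mods = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return sorted(mods)


def validate_code(source: str) -> dict:
    """Syntax-check Python source without executing it.

    ast.parse only builds a syntax tree. A submission such as
    `raise RuntimeError("x")` or a subprocess call is parsed and reported,
    never run, which is the difference between validation and exec().
    """
    try:
        tree = ast.parse(source, filename="<submitted>", mode="exec")
    except SyntaxError as exc:
        return {"ok": False, "error": f"line {exc.lineno}: {exc.msg}"}
    return {"ok": True, "imports": _imported_modules(tree)}


def handle_validate(headers: dict, body: str) -> tuple:
    """Minimal request handler returning (status, json-able dict).

    Authentication is checked before the body is looked at; this is the
    control the vulnerable endpoint lacked. compare_digest avoids a timing
    side channel on the key comparison.
    """
    presented = headers.get("x-api-key", "")
    if not hmac.compare_digest(presented.encode(), SERVER_API_KEY.encode()):
        return 401, {"error": "authentication required"}
    if len(body) > 64_000:
        return 413, {"error": "submission too large"}
    return 200, validate_code(body)


if __name__ == "__main__":
    print(handle_validate({}, "x = 1"))
    print(handle_validate({"x-api-key": SERVER_API_KEY},
                          "raise RuntimeError('would run under exec')"))
```

The second call in the usage block returns `ok: True` because the line is valid Python, yet nothing is raised: the handler answered the question "does this parse?" without answering "what does this do?", which is all a validation endpoint should ever do.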

An agent that knew what to steal

Once inside, the agent swept the host for secrets with a breadth that betrays real understanding of a modern cloud estate. It hunted for OpenAI, Anthropic, DeepSeek, and Gemini API keys, cloud credentials for AWS, Azure, GCP, Alibaba, and Tencent, cryptocurrency keys, and database logins. This is not a dumb regex grabbing anything that looks like a token. It is a targeted collection reflecting the layout of the platforms an organization actually runs. An agent that recognizes the difference between an Alibaba credential and a Tencent one, and values both, is operating with contextual awareness that scripted malware rarely shows.

The strategic worry here is compounding. Stolen LLM API keys can fund the next round of attacks by running the adversary's own agents on someone else's bill. Stolen cloud credentials open lateral paths into far larger environments than the initial Langflow host. The agent, in effect, was restocking its own supply chain while executing the primary ransomware objective. For security leaders, this means the blast radius of a single unpatched box now includes every secret that box could see, and those secrets are increasingly the keys to other autonomous systems.

Encryption and extortion inside the database

The destructive phase was executed with a native-tools elegance that traditional ransomware often lacks. Rather than dropping a bespoke encryptor, the agent encrypted 1,342 Nacos configuration entries using MySQL AES_ENCRYPT(), the database engine's own built-in function. It then dropped tables and created a README_RANSOM table to carry the extortion note. Using the database's native cryptography means no unusual binary had to touch disk, which sidesteps a whole category of endpoint detection. The malicious activity looks, at a glance, like ordinary database operations issued by an authenticated session.

Targeting Nacos configuration is a shrewd move that reflects operational understanding of the victim. Nacos holds service discovery and configuration data, so encrypting 1,342 entries does not just lock a filesystem, it can break the running application's ability to find and configure its own components. This is extortion aimed at availability at the architectural level. We take it as another sign that the agent reasoned about impact, choosing the data whose loss would hurt most, rather than blindly encrypting whatever it could enumerate first.

The self-narrating fingerprint of LLM code

One of the most useful findings for defenders is stylistic. The payloads were self-narrating, carrying the natural-language reasoning characteristic of LLM-generated code. Where a human author writes terse, purpose-built scripts, an agent tends to leave behind verbose commentary explaining its intentions, because that narration is part of how the model reasons through a task. That verbosity is a tell. It gives detection engineers a behavioral signature to hunt for, one that is harder for the adversary to strip away without degrading the very reasoning that makes the agent effective.

We would encourage teams to start building detections around these artifacts now, while the technique is young. Log commentary embedded in executed commands, unusually explanatory variable names, and step-by-step reasoning inside scripts are all candidate indicators. None of this replaces patching CVE-2025-3248 and restricting exposure of tools like Langflow, which remains the single most effective control. But as agentic attacks proliferate, the ability to recognize the machine author behind the payload will become a genuine advantage, and the self-narrating habit is the thread to pull.
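To make the "self-narrating" tell concrete, here is an added example, not Sysdig's tooling, of a heuristic that scores a script on the artifacts listed above: the share of comment lines, the density of narrative cues in those comments ("First", "Next", "I will", "this script will"), and the average identifier length in the code lines. Both sample scripts and the thresholds are constructed for the demo; the rule is a starting point for a hunt query, not a signature.

```python
import re

# Narrative cues typical of model-written commentary. Constructed list; extend from
# samples seen in your own environment.
NARRATIVE_CUES = re.compile(
    r"\b(first|next|then|now|let's|i will|i need to|we need to|we will|"
    r"this (?:script|function) will|step \d+)\b",
    re.I,
)
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# Keywords excluded from identifier-length statistics (shell and Python mix).
KEYWORDS = {"for", "in", "do", "done", "if", "then", "else", "fi", "while", "def",
            "return", "import", "from", "as", "and", "or", "not", "is", "with",
            "elif", "try", "except", "pass", "print"}


def narration_features(source: str) -> dict:
    """Per-script features that separate terse admin scripts from narrated ones."""
    comment_lines = code_lines = cue_hits = 0
    ident_lengths = []
    for raw in source.splitlines():
        line = raw.strip()
        if not line or line.startswith("#!"):      # skip blanks and the shebang
            continue
        if line.startswith("#"):
            comment_lines += 1
            cue_hits += len(NARRATIVE_CUES.findall(line))
        else:
            code_lines += 1
            ident_lengths.extend(len(t) for t in IDENT.findall(line)
                                 if t not in KEYWORDS)
    total = comment_lines + code_lines
    return {
        "comment_ratio": comment_lines / total if total else 0.0,
        "cue_hits": cue_hits,
        "avg_identifier_len": (sum(ident_lengths) / len(ident_lengths)
                               if ident_lengths else 0.0),
    }


def is_self_narrating(source: str, min_ratio: float = 0.3, min_cues: int = 3) -> bool:
    """Flag when a script both comments heavily and narrates its steps."""
    f = narration_features(source)
    return f["comment_ratio"] >= min_ratio and f["cue_hits"] >= min_cues


# Constructed samples. TERSE is how an administrator writes a throwaway loop;
# NARRATED carries the step-by-step commentary the article describes.
TERSE = """#!/bin/sh
for f in /etc/*.conf; do
  tar -czf /tmp/bk.tgz "$f"
done
"""

NARRATED = """# First, I need to locate the configuration directory so I can back it up.
# Next, I will compress each file; this script will then verify the archive.
configuration_directory = "/etc"
# Now let's iterate over every configuration file and record its size.
for configuration_file_path in list_files(configuration_directory):
    # Then record the size so we can report it at the end.
    file_size_in_bytes = size_of(configuration_file_path)
"""

if __name__ == "__main__":
    for name, script in (("terse", TERSE), ("narrated", NARRATED)):
        print(name, narration_features(script), is_self_narrating(script))
```

Treat a hit as a reason to look at the session that executed the script, not as a verdict: well-commented tutorial code and generated boilerplate trip the same rule, so the useful signal is this score combined with where the script ran (a web-service worker executing it is far stranger than a developer's shell).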

What this means for the defensive playbook

The headline lesson is deflating in its familiarity: patch old software and do not expose management or code-execution endpoints to the internet. JADEPUFFER succeeded because a CVSS 9.8 flaw sat reachable and unfixed. Every advance in attacker autonomy raises the value of basic hygiene, because automation punishes the slow far faster than human operators ever did. An agent can scan, exploit, and extort in the time it takes a change advisory board to schedule a meeting, so the window between disclosure and patch is now the window of maximum danger.

Beyond hygiene, security leaders should assume that credential sprawl is now the primary loss multiplier. Every API key and cloud credential sitting on a reachable host is a future attack financed at someone else's expense. Tighten secret storage, scope credentials narrowly, and monitor for the native-tool abuse patterns JADEPUFFER used, such as unexpected AES_ENCRYPT() calls and mass configuration changes in datastores like Nacos. The attacker got smarter, but the controls that would have stopped it are ones we already know how to deploy. The task is doing them faster and more completely than the machines can move.
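The native-tool pattern in the encryption phase and the monitoring advice in the paragraph above both reduce to the same question: which database session issued writes wrapped in AES_ENCRYPT(), touched many configuration rows, dropped tables, and created a note table? The following is an added example, not Sysdig's or Nacos's code, of a per-session detector over MySQL general-log lines. The log excerpt is constructed, the Nacos table names (`config_info`, `his_config_info`) are assumed for the demo, and the burst threshold is a tunable, not a measured value.

```python
import re
from collections import defaultdict

# Constructed general-log excerpt (tab-separated: timestamp, thread id, command, SQL).
# Thread 42 models the pattern described in the article; thread 7 is routine traffic.
SAMPLE_LOG = """\
2026-07-02T10:15:01.000000Z\t     7 Query\tSELECT content FROM config_info WHERE data_id = 'app.yaml'
2026-07-02T10:15:02.000000Z\t    42 Query\tUPDATE config_info SET content = AES_ENCRYPT(content, 'x') WHERE id = 1
2026-07-02T10:15:02.100000Z\t    42 Query\tUPDATE config_info SET content = AES_ENCRYPT(content, 'x') WHERE id = 2
2026-07-02T10:15:02.200000Z\t    42 Query\tUPDATE config_info SET content = AES_ENCRYPT(content, 'x') WHERE id = 3
2026-07-02T10:15:03.000000Z\t     7 Query\tUPDATE config_info SET content = 'port: 8080' WHERE id = 9
2026-07-02T10:15:04.000000Z\t    42 Query\tDROP TABLE his_config_info
2026-07-02T10:15:05.000000Z\t    42 Query\tCREATE TABLE README_RANSOM (note TEXT)
2026-07-02T10:15:06.000000Z\t    42 Query\tINSERT INTO README_RANSOM VALUES ('...')
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<sql>.*)$")
WATCHED_TABLES = {"config_info", "his_config_info"}          # assumed config-store tables
ENCRYPT_WRITE = re.compile(r"^\s*(UPDATE|INSERT)\b.*\bAES_ENCRYPT\s*\(", re.I | re.S)
DROP_TABLE = re.compile(r"^\s*DROP\s+TABLE\b", re.I)
NOTE_TABLE = re.compile(r"^\s*CREATE\s+TABLE\s+\S*(RANSOM|README|DECRYPT)", re.I)
CONFIG_WRITE = re.compile(r"^\s*(UPDATE|DELETE)\s+(?:FROM\s+)?(\w+)", re.I)


def parse_general_log(text: str) -> list:
    """Return (thread, timestamp, sql) for every Query line; other commands are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group("cmd") == "Query":
            events.append((m.group("thread"), m.group("ts"), m.group("sql")))
    return events


def analyze_sessions(text: str, config_write_burst: int = 3) -> dict:
    """Aggregate the four indicators per session and return alerts keyed by thread id."""
    per = defaultdict(lambda: {"encrypt_writes": 0, "config_writes": 0,
                               "drop_tables": 0, "note_tables": 0})
    for thread, _ts, sql in parse_general_log(text):
        s = per[thread]
        if ENCRYPT_WRITE.search(sql):
            s["encrypt_writes"] += 1
        if DROP_TABLE.search(sql):
            s["drop_tables"] += 1
        if NOTE_TABLE.search(sql):
            s["note_tables"] += 1
        m = CONFIG_WRITE.match(sql)
        if m and m.group(2).lower() in WATCHED_TABLES:
            s["config_writes"] += 1

    alerts = {}
    for thread, s in per.items():
        reasons = []
        if s["encrypt_writes"]:
            reasons.append(f"{s['encrypt_writes']} write(s) using AES_ENCRYPT()")
        if s["config_writes"] >= config_write_burst:
            reasons.append(f"{s['config_writes']} writes to watched config tables")
        if s["drop_tables"]:
            reasons.append(f"{s['drop_tables']} DROP TABLE statement(s)")
        if s["note_tables"]:
            reasons.append("created a table whose name looks like an extortion note")
        if reasons:
            # Any single indicator is worth a look; two or more together is the pattern.
            alerts[thread] = {"severity": "high" if len(reasons) >= 2 else "medium",
                              "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for thread, alert in analyze_sessions(SAMPLE_LOG).items():
        print(f"session {thread}: {alert['severity']} -> {'; '.join(alert['reasons'])}")
```

The general log is the simplest source but is rarely on in production; the same rules port to the audit plugin or to a proxy log, and the single most valuable alert is the first one, since a lone AES_ENCRYPT() write from an application account that never issues it is already out of profile.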
